08-09-2017 01:46 PM - edited 03-05-2019 08:59 AM
Hello Guys
I'm new to Cisco and need some help forwarding a range of ports on a Cisco 871 router to allow remote network phones to connect back to the PBX behind the Cisco 871 router. The IP of the PBX itself is 10.10.10.250, and 10.10.10.251 is the DSP card inside the PBX. I need to forward RTP ports 16000-16511 to the PBX's DSP card, which is 10.10.10.251. I know how to forward a single port to a single internal IP, like this:
ip nat inside source static tcp 10.10.10.250 35300 interface Dialer0 35300
ip nat inside source static udp 10.10.10.250 9300 interface Dialer0 9300
ip nat inside source static udp 10.10.10.250 2727 interface Dialer0 2727
But I DO NOT know how to do a range of ports. I'm attaching a snapshot from the existing Cisco RV042 router that's in use right now, and also the config that I have prepared on the Cisco 871 for this same case. So if someone can look at the config and reply with an idea or solution, that would be really helpful. Thanks in advance, guys.
08-09-2017 02:33 PM
Hello
Try this:
ip access-list extended STAN_acl
 permit udp host 10.10.10.250 range 16000 16511 any
 permit udp host 10.10.10.250 eq 2727 any
 permit udp host 10.10.10.250 eq 9300 any
 permit tcp host 10.10.10.250 eq 35300 any
route-map STAN_rm
 match ip address STAN_acl
ip nat inside source static 10.10.10.250 x.x.x.x route-map STAN_rm
res
Paul
08-09-2017 02:36 PM
Hello Paul
First of all, thanks for taking the time to help on this.
I will give it a try right now. Thanks again. Bye for now.
08-09-2017 02:45 PM
Hello Paul
I was trying this config, but I noticed that you have forwarded all the ports (2727, 9300, 35300, 16000-16511) to 10.10.10.250, which is my PBX's main IP address. For that I only need to forward 9300, 2727 (UDP) and 35300 (TCP), but RTP ports 16000-16511 have to be forwarded to the PBX's DSP card, which has IP 10.10.10.251, not 250.
So now does that mean I need two of these commands
ip nat inside source static 10.10.10.250 x.x.x.x route-map STAN_rm or can I squeeze everything into this one command somehow? And also, when you type x.x.x.x, does that mean my subnet mask, which is 255.255.255.0? Please help, thanks.
08-10-2017 02:51 AM
Hello
You are correct, I misread your Portsopen.jpg; it has various addressing which I didn't notice.
I can see your internal network - the network you wish to NAT from (INSIDE) has a range of 10.10.10.0/24.
So can you clarify that you wish to NAT from these two hosts, 10.10.10.250 and 251, towards hosts 10.10.9.250 and 10.10.9.251 via the dialer 0 interface (outside)?
res
Paul
08-10-2017 05:05 AM
Hello Paul
Both of them are my internal networks at two different locations, but that's just an example for you.
So in my lab I have 10.10.10.0/24 as the internal network, but one of my clients has 10.10.9.0/24 as the internal network.
For port forwarding I want to use any of these, let's say 10.10.10.0, because I have that in the lab and I have two real separate internet connections to make a real test. So the WAN (outside) addresses are UNKNOWN because those 2 to 3 locations are remote users working from their homes. So I don't even know if they have static IPs or not. So we only know our internal network, but from outside it could be any public IP, we don't know.
We know that we have a WAN static IP and our internal range for DHCP, but the outside world is unknown.
So I want to NAT 35300 (TCP) and 2727, 9300 (UDP) towards 10.10.10.250 (PBX),
and also 16000-16511 (UDP) towards 10.10.10.251 (PBX's DSP card) when the request comes from the outside world.
thanks
08-10-2017 06:38 AM
Hello
Thanks for the clarification.
Try this then:
ip access-list extended STAN_acl
 permit udp host 10.10.10.250 eq 2727 any
 permit udp host 10.10.10.250 eq 9300 any
 permit tcp host 10.10.10.250 eq 35300 any
route-map STAN_rm
 match ip address STAN_acl
ip nat inside source static 10.10.10.250 (next hop ip) route-map STAN_rm
ip access-list extended STAN2_acl
 permit udp host 10.10.9.251 range 16000 16511 any
route-map STAN2_rm
 match ip address STAN2_acl
ip nat inside source static 10.10.9.251 (next-hop ip) route-map STAN2_rm
Note: the next hop IP will be the addressing obtained by dialer 0
Res
Paul
08-10-2017 07:42 AM
OK, awesome Paul.
So now when you say the IP addressing obtained by the dialer 0, that means my static IP which I received for my PPPoE settings from my ISP, am I right?
So in that case the command will look something like this:
ip nat inside source static 10.10.10.9.251 165.154.120.96 route-map STAN_rm
and for the RTP ports the second ACL route-map will look like this:
ip nat inside source static 10.10.10.251 165.154.120.96 route-map STAN2_rm
And also I guess that was again a typo when you mentioned the second ACL: you have put 10.10.9.251 instead of 10.10.10.251.
Thanks again Paul, I will try this today.
08-10-2017 05:47 PM
Hello Paul
So I tried these commands today, but no luck.
When I give all those commands the router seems to take all of them, but when I go back and run the show run command I don't see my second entry for the route map. I only see the very first entry, which is this: (ip nat inside source static 10.10.10.9.251 165.154.120.96 route-map STAN_rm), but the other entry does not even appear.
Also, when I do these commands the router puts 10 behind both of these commands, like this:
route-map STAN_rm permit 10
match ip address STAN_acl
route-map STAN2_rm permit 10
match ip address STAN2_acl
So maybe because of the 10 behind these, that's why it didn't work.
And just so you know, I tried resetting the Cisco 871 twice and did static statements for the ports 2727, 9300 (UDP) and 35300 (TCP), and I noticed that as soon as I do these statements the remote phones register with the PBX and start working, but NO AUDIO on any side.
But up to that point I have gone long ago. My only issue is the RTP ports from 16000-16511 for SIP. That's it.
THANKS
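An added example, not part of any post in the thread: a Python check that parses ACL entries in the two forms used above (`eq N` and `range LO HI`) and compares the ports they permit with the exposure the original poster asked for, so a mistyped range bound or host address is caught before the config goes onto the router. The sample ACL is constructed for illustration, and `INTENDED`, `parse_acl` and `audit` are hypothetical names, not Cisco tooling.

```python
import re

# Intended exposure as stated in the thread: signalling to the PBX,
# RTP 16000-16511 to the DSP card. (Hypothetical name, assumption of this example.)
INTENDED = {
    ("udp", "10.10.10.250"): {2727, 9300},
    ("tcp", "10.10.10.250"): {35300},
    ("udp", "10.10.10.251"): set(range(16000, 16512)),
}

# Recognises only the two entry forms used in the thread:
#   permit <proto> host <ip> eq <port> any
#   permit <proto> host <ip> range <low> <high> any
ACE = re.compile(r"^\s*permit\s+(tcp|udp)\s+host\s+(\d+(?:\.\d+){3})\s+"
                 r"(?:eq\s+(\d+)|range\s+(\d+)\s+(\d+))\s+any\s*$")

def parse_acl(text):
    """Return {(proto, host): set_of_ports} for every recognised permit line."""
    permitted = {}
    for line in text.splitlines():
        m = ACE.match(line)
        if not m:
            continue  # ACL names, route-map lines, anything else
        proto, host, eq, low, high = m.groups()
        ports = {int(eq)} if eq else set(range(int(low), int(high) + 1))
        permitted.setdefault((proto, host), set()).update(ports)
    return permitted

def audit(text, intended=INTENDED):
    """List (proto, host, kind, count, lowest, highest) for every mismatch."""
    permitted, findings = parse_acl(text), []
    for key in sorted(set(permitted) | set(intended)):
        have, want = permitted.get(key, set()), intended.get(key, set())
        for kind, ports in (("missing", want - have), ("extra", have - want)):
            if ports:
                findings.append((*key, kind, len(ports), min(ports), max(ports)))
    return findings

# Constructed sample: a mistyped lower bound and the other site's host address.
SAMPLE = """\
ip access-list extended STAN_acl
 permit udp host 10.10.10.250 eq 2727 any
 permit udp host 10.10.10.250 eq 9300 any
 permit tcp host 10.10.10.250 eq 35300 any
ip access-list extended STAN2_acl
 permit udp host 10.10.9.251 range 1600 16511 any
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

An empty result means the ACLs permit exactly the intended ports; an "extra" finding counts every port a too-wide range would open beyond them.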